Windows Defender AV must be configured to not join Microsoft MAPS.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-75167	WNDF-AV-000010	SV-89847r4_rule		Medium

Description
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However Microsoft will not use this information to identify you or contact you. Possible options are: (0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. If you enable this setting you will join Microsoft MAPS with the membership specified. If you disable or do not configure this setting you will not join Microsoft MAPS. In Windows 10 Basic membership is no longer available so setting the value to 1 or 2 enrolls the device into Advanced membership. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this feature will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting disables Microsoft Active Protection Service membership and reporting.

Description

This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However Microsoft will not use this information to identify you or contact you. Possible options are: (0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. If you enable this setting you will join Microsoft MAPS with the membership specified. If you disable or do not configure this setting you will not join Microsoft MAPS. In Windows 10 Basic membership is no longer available so setting the value to 1 or 2 enrolls the device into Advanced membership. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this feature will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting disables Microsoft Active Protection Service membership and reporting.

STIG	Date
MS Windows Defender Antivirus Security Technical Implementation Guide	2019-06-24

Details

Check Text ( C-74959r5_chk )
This is applicable to unclassified systems, for other systems this is Not Applicable. Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus >> MAPS "Join Microsoft MAPS" is set to "Enabled" and "Advanced MAPS" is selected. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender\Spynet Criteria: If the value "SpynetReporting" is “REG_DWORD = 2”, this is not a finding.

Check Text ( C-74959r5_chk )

This is applicable to unclassified systems, for other systems this is Not Applicable.

Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus >> MAPS "Join Microsoft MAPS" is set to "Enabled" and "Advanced MAPS" is selected.

Procedure: Use the Windows Registry Editor to navigate to the following key:
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet

Criteria: If the value "SpynetReporting" is “REG_DWORD = 2”, this is not a finding.

Fix Text (F-81779r5_fix)
This is applicable to unclassified systems, for other systems this is Not Applicable. Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus >> MAPS "Join Microsoft MAPS" to "Enabled" and select "Advanced MAPS" from the drop down box.